GDPR is a significant piece of legislation whose full impact will clearly take some time to shake out.
A major point of note right off the bat is that GDPR does not merely apply to EU businesses; any entities processing the personal data of EU citizens need to comply. The extra-territorial scope of GDPR casts the European Union as a global pioneer in data protection. Also under GDPR, financial penalties for data protection violations step up massively.
GDPR aims to have every link in the processing chain be a robust one. Companies need to maintain up-to-date records to prove out their compliance and to appoint a data protection officer if they process sensitive data on a large scale or are collecting info on many consumers.
Through its running emphasis on data protection via data security, GDPR implicitly encourages the use of encryption as more than a mere risk-reduction technique. Another major change arriving with GDPR is that ‘privacy by design’ is no longer just a nice idea: privacy by design and privacy by default become firm legal requirements.
GDPR also encourages the use of pseudonymization — such as, for example, encrypting personal data and storing the encryption key separately and securely — as a pro-privacy, pro-security technique that can help minimize the risks of processing personal data. Data has to be rendered truly anonymous to be outside the scope of the regulation.
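As an added illustration of the pseudonymisation approach described above (example code, not part of the original post), the following Go program seals a direct identifier under an AES-GCM key that lives apart from the records, so the data set alone can neither be read nor linked back to a person, while the key holder can still re-identify. It goes one step beyond the passage by showing that destroying the separately held key makes every copy of the tokens unrecoverable, which is the point the backup dilemma discussed in the comments turns on. The KeyStore type, the token layout and the sample identifier are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyStore stands in for the key held apart from the records (a KMS or HSM in
// practice; an assumption of this example). Destroying the key leaves every token
// sealed under it unrecoverable in every copy of the data set, backups included.
type KeyStore struct{ key []byte }

func NewKeyStore() (*KeyStore, error) {
	k := make([]byte, 32) // AES-256 key; generated here, never stored beside the data
	_, err := rand.Read(k)
	return &KeyStore{key: k}, err
}
func (ks *KeyStore) Destroy() { ks.key = nil }
func (ks *KeyStore) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(ks.key) // fails (invalid key size) once destroyed
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Pseudonymise replaces a direct identifier with nonce||AES-GCM ciphertext; a fresh
// nonce per call means two records of one person are not linkable without the key.
func Pseudonymise(ks *KeyStore, identifier string) ([]byte, error) {
	gcm, err := ks.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(identifier), nil), nil
}
// Reidentify recovers the identifier for the key holder only; a tampered token or
// one sealed under another key fails GCM authentication rather than decrypting.
func Reidentify(ks *KeyStore, token []byte) (string, error) {
	gcm, err := ks.aead()
	if err != nil || len(token) < gcm.NonceSize() {
		return "", errors.New("cannot re-identify: key destroyed or token malformed")
	}
	pt, err := gcm.Open(nil, token[:gcm.NonceSize()], token[gcm.NonceSize():], nil)
	return string(pt), err
}
```

Without the key, the stored tokens are pseudonymous rather than anonymous, which is exactly why the regulation still treats such data as personal data.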


  1. Tomi Engdahl says:

    Mark Scott / Politico:
    Activists and some legislators say that a GDPR-like bill to give Washington state some of the toughest privacy standards in the US was diluted by tech lobbyists

    How lobbyists rewrote Washington state’s privacy law

    Washington state was writing European-style legislation. Then corporate lobbyists got involved.

  2. Tomi Engdahl says:

    GDPR Conformance Does Not Excuse Companies from Vicarious Liability

    The UK supermarket chain Morrisons’ legal battle with 5,500 of its own employees over vicarious liability introduces a new threat element to the already complex and confusing demands of the EU’s General Data Protection Regulation (GDPR).

  3. Tomi Engdahl says:

    Steve Ranger / ZDNet:
    UK’s tax authority to delete records of ~5M people from its Voice ID biometric voice security system because it did not have clear user consent, violating GDPR

    HMRC to delete five million biometric voice records

    ‘Biggest ever’ deletion of biometric data by government comes after HMRC obtained data “unlawfully” according to privacy regulator.
    Steve Ranger

  4. Tomi Engdahl says:

    UK taxman falls foul of GDPR, agrees to wipe 5 million voice recordings used to make biometric IDs
    Yes, yes, yes, we’ve told the ICO we are doing so, says HMRC

  5. Tomi Engdahl says:

    Does data have to be deleted from tape too, if someone asks? – this is how GDPR affects backup tapes

    The EU has legislated a right for citizens to demand that online services delete their personal data.

    According to Timo Danilotschkin, CEO of storage-device vendor MultiCom, deleting data involves a dilemma: data retention obligations can conflict with the right to be forgotten granted by the EU.

    “If a data deletion request is justified and is carried out, it may at the same time violate regulations concerning the historical integrity of data, or other regulations such as those on accounting retention periods. Later there could be a court case in which it would be necessary to prove what the stored data was earlier, and then there would be problems if the data has been tampered with after the fact,” Danilotschkin explains.

    The only practical way to comply with both sets of rules at the same time would be to keep operational data and data held for backup purposes separate.

  6. Tomi Engdahl says:

    “GDPR had a big impact” – the Data Protection Ombudsman’s workload grew sharply

  7. Tomi Engdahl says:

    Where GDPR goes next: How digital privacy is taking over the world

    One year on from the EU introducing its data protection laws, the impact is spreading around the world.

    Designed to update the privacy rights of internet users and ensure organisations are transparent and responsible when handling the personal information of customers and clients, the European Union’s General Data Protection Regulation (GDPR) laws came into force on May 25 last year.

    GDPR was designed to protect EU citizens’ data, but the open nature of the web inevitably means it has an impact beyond its own shores. Even companies outside of the EU will often have to comply with the data protection legislation – for example, if they offer goods or services to EU citizens or if they have a branch somewhere within the trading bloc.

    This extended reach of GDPR has led to some unexpected outcomes. One example: European internet users looking to visit some US-based news publications may find that they can’t view the websites – instead being met with pages explaining the publication didn’t comply with the new legislation and blocked them out instead.

    Some eventually found solutions to this, while a year on from the legislation being introduced some US publications continue to only show a holding page to European visitors.

    “To a large extent in the US, most users attribute GDPR with an influx of cookie notifications and see it as an annoyance, rather than what it is: an attempt by regulators to give the consumer a level of visibility and control over what data is being collected about them,” says Tim Mackey, senior technical evangelist at Synopsys.

    But soon enough, even for businesses that have no involvement with the EU, there may be no hiding from data protection legislation as countries and regions around the world look to implement their own privacy laws, including Brazil, Japan, South Korea, India and others.

    One of those is the home of Silicon Valley, California, which is set to introduce the California Consumer Privacy Act as of January 1 2020.

    Apple CEO Tim Cook has called for the US to introduce an equivalent to GDPR to prevent data being weaponised against users. Facebook CEO Mark Zuckerberg recently spoke about how privacy will be the future of Facebook – even though he admits himself that some may find that hard to believe.

  8. Tomi Engdahl says:

    Alfred Ng / CNET:
    On the first anniversary of GDPR, Microsoft calls for a similar privacy law in the US that puts the burden on the companies that collect and use sensitive data — Microsoft’s idea of a US privacy law would make it easier for people to protect their data. — The company’s corporate vice president …

    Microsoft wants a US privacy law that puts the burden on tech companies

    Europe’s privacy law went into effect nearly a year ago. It’s time for the US to catch up, the tech giant says.

  9. Tomi Engdahl says:

    Matthew Wall / BBC:
    Since GDPR, Ireland’s Data Protection Commission says it has launched 19 cross-border investigations, 11 of which focus on Facebook, WhatsApp, and Instagram — Social media giant Facebook and its subsidiaries Instagram and WhatsApp have been the subject of most data investigations in the Republic …

    How Ireland became Europe’s data watchdog

    Social media giant Facebook and its subsidiaries Instagram and WhatsApp have been the subject of most data investigations in the Republic of Ireland since the European Union’s new data protection regulation came into force a year ago.

  10. Tomi Engdahl says:

    Philip Nabben / Lexology:
    In the year since GDPR took effect, a look at the first wave of decisions and fines issued by data protection authorities in EU countries — European Union, France, Germany — On Saturday 25 May 2019, the EU General Data Protection Regulation (GDPR), which aims to protect personal data including …

    The GDPR: one year on

  11. Tomi Engdahl says:

    One Year on, EU’s GDPR Sets Global Standard for Data Protection

    The EU’s strict data laws have set the global benchmark for protecting personal information online since coming into force a year ago, but some worry that many users have barely noticed the change.

    The “General Data Protection Regulation” (GDPR), launched on May 25 last year, enhances the rights of internet users and imposes a wide range of obligations on companies, including that they request explicit consent to use personal data collected or processed in the European Union.

  12. Tomi Engdahl says:

    One Year on, EU’s GDPR Sets Global Standard for Data Protection

    The EU’s strict data laws have set the global benchmark for protecting personal information online since coming into force a year ago, but some worry that many users have barely noticed the change.

  13. Tomi Engdahl says:

    Analysis Shows Poor GDPR Compliance in European Websites

    Marking the one-year anniversary of GDPR coming into force (May 25, 2018), a web-scanning service has analyzed the visible GDPR compliance of the 100 most popular websites in each of the 28 European member states. The scan is non-intrusive. As a result, it cannot say that an organization is compliant (non-compliance can occur deep in the system), but it can say if an organization is not compliant simply by examining the parts that are visible over the internet.

    The firm concerned, ImmuniWeb (formerly High-Tech Bridge), has added GDPR scan components to its existing website security test, and made this a free offering. The four visible elements of GDPR compliance that it checks are access to the privacy policy, insecure use of cookies, outdated or vulnerable content management system (CMS) components, and lack of HTTPS encryption (or use of SSLv3, which is more than 20 years old and should have finally died with the POODLE attack in 2014).

    The results are surprisingly inconsistent across the different countries, and generally not very reassuring. However, website security and use of HTTPS are promising, with an average of just 6.75% and 5.96% failures. Greece is the worst nation for website security, with a 38% failure rate. Malta is worst on HTTPS with a 29% failing.

    It is difficult to draw clear conclusions from this survey — but two things do stand out. Firstly, not a single European country displays complete GDPR conformance across all its websites. Secondly, website operators seem to draw a distinction between security and compliance. Website security issues are given higher importance (an overall 6.75% failing) than cookie protection and privacy policy issues (78.25% and 51.5% failing respectively).

  14. Tomi Engdahl says:

    Google faces Irish inquiry over possible breach of privacy laws
    Technology firm’s Ad Exchange processing of users’ personal data being investigated

  15. Tomi Engdahl says:

    UK’s ICO fines British Airways a record £183M over GDPR breach that leaked data from 500,000 users

    The UK’s Information Commissioner is starting off the week with a GDPR bang: this morning, it announced that it has fined British Airways and its parent International Airlines Group (IAG) £183.39 million ($230 million) in connection with a data breach that took place last year that affected a whopping 500,000 customers browsing and booking tickets online. In an investigation, the ICO said that it found “that a variety of information was compromised by poor security arrangements at [BA], including log in, payment card, and travel booking details as well as name and address information.”

    The fine — 1.5% of BA’s total revenues for the year that ended December 31, 2018

  16. Tomi Engdahl says:

    Marriott to face $123 million fine by UK authorities over data breach

    The U.K. data protection authority said it will serve hotel giant Marriott with a £99 million ($123M) fine for a data breach that exposed up to 383 million guests.

  17. Tomi Engdahl says:

    The big picture: Privacy laws, including Europe’s mammoth General Data Protection Regulation and California’s recently passed regulations, often include provisions to allow people to request the personal information that companies have compiled on them.

    Yes, but: These laws have not generally done a good job clarifying acceptable ways to do this safely.

    Details: James Pavur, a Ph.D. student at Oxford University, bet his fiancee he could use GDPR to steal her personal information.

    He contacted around 150 companies, requesting her data via a fake email account in her name. 83 of the firms had her data, and roughly 1/4 of those provided it to him, no questions asked.
    “Companies are afraid under GDPR of telling you no.”
    — James Pavur


  18. Tomi Engdahl says:

    Sites using Facebook ‘Like’ button liable for data, EU court rules

    Europe’s top court ruled Monday (30 July) that companies that embed Facebook’s “Like” button on their websites must seek users’ consent to transfer their personal data to the US social network, in line with the bloc’s data privacy laws.

    According to the European Court of Justice ruling, a site that embeds the Facebook “like” icon and link on its pages also sends user data to the US web giant.

  19. Tomi Engdahl says:

    “No matter what transfer mechanism you use, you end up with a conflict. The U.S. laws allow espionage against EU citizens” – Max Schrems, lawyer and privacy activist

  20. Tomi Engdahl says:

    Preclusio uses machine learning to comply with GDPR, other privacy regulations

  21. Tomi Engdahl says:

    Leo Kelion / BBC:
    Researcher says one in four UK- and US-based companies contacted to test a GDPR “right of access” request made in someone else’s name revealed personal data

    Black Hat: GDPR privacy law exploited to reveal personal data

    About one in four companies revealed personal information to a woman’s partner, who had made a bogus demand for the data by citing an EU privacy law.

    The security expert contacted dozens of UK and US-based firms to test how they would handle a “right of access” request made in someone else’s name.

    It is one of the first tests of its kind to exploit the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

    “Generally if it was an extremely large company – especially tech ones – they tended to do really well,” he told the BBC.

    “Small companies tended to ignore me.

    “But the kind of mid-sized businesses that knew about GDPR, but maybe didn’t have much of a specialised process [to handle requests], failed.”

  22. Tomi Engdahl says:

    Avoid the chaos of GDPR in the realm of IoT

    Faced with stricter regulations on data processing under the EU’s GDPR (General Data Protection Regulation) and a growing demand for IoT-functionality within the field of consumer devices, companies now have an important decision to make when it comes to choosing the correct IoT platform.

    In this blog post, we’ll boil it down to just one important choice you have to make.

    Failing to comply with these new regulations can result in a hefty fine of up to 20 million euros or 4 percent of gross annual turnover, whichever sum is higher. In addition to a financial penalty, non-compliance can severely tarnish a company’s reputation and reduce trust among its customer base.

    The degree to which GDPR complicates data processing depends on the type of data collected and the way it is processed. GDPR applies to sensitive personal data, but in the field of IoT it is not always clear what this constitutes. In addition, your choice of platform dictates whether you will be affected by GDPR.

    Database-driven or P2P IoT: an important decision for any company

    Keep it simple – and secure
    The alternative to the cloud is a P2P IoT platform. Here, the client interacts directly with the device and no data is stored in the cloud.

    We also use the cloud, but the P2P technology we run simply acts like a telephone switchboard – mediating direct, end-to-end encrypted connections between the client (app on a smartphone or tablet) and the IoT device. Once this connection is established, the cloud server is out of the loop, and the connection is only between the client and the IoT device.

  23. Tomi Engdahl says:

    Why is marketing consent important in the future as well?

  24. Tomi Engdahl says:

    CJEU on cookies: ‘Consent or be tracked’ is not an option
    By EDRi

    Today, on 1 October 2019, the Court of Justice of the European Union (CJEU) gave its ruling on “cookie consent” requirements. European Digital Rights (EDRi) welcomes the CJEU’s confirmation that under the current data protection framework, cookies can only be set if users have given consent that is valid under the General Data Protection Regulation (GDPR). This means consent needs to be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of a user’s agreement.

